rex 2.0.8 → 2.0.9

data/lib/rex/proto/http/client.rb

@@ -58,7 +58,6 @@ class Client
       'method_random_case'     => 'bool',
       'version_random_valid'   => 'bool',
       'version_random_invalid' => 'bool',
-      'version_random_case'    => 'bool',
       'uri_dir_self_reference' => 'bool',
       'uri_dir_fake_relative'  => 'bool',
       'uri_use_backslashes'    => 'bool',
@@ -579,14 +578,15 @@ class Client
 
       rv = nil
       while (
+               not conn.closed? and
                rv != Packet::ParseCode::Completed and
                rv != Packet::ParseCode::Error
               )
 
         begin
 
-          buff = conn.get_once(-1, 1)
-          rv   = resp.parse( buff || '' )
+          buff = conn.get_once(resp.max_data, 1)
+          rv   = resp.parse(buff || '')
 
         # Handle unexpected disconnects
         rescue ::Errno::EPIPE, ::EOFError, ::IOError

data/lib/rex/proto/http/client_request.rb

@@ -52,7 +52,6 @@ class ClientRequest
     'method_random_case'     => false,   # bool
     'version_random_valid'   => false,   # bool
     'version_random_invalid' => false,   # bool
-    'version_random_case'    => false,   # bool
     'uri_dir_self_reference' => false,   # bool
     'uri_dir_fake_relative'  => false,   # bool
     'uri_use_backslashes'    => false,   # bool
@@ -344,10 +343,6 @@ class ClientRequest
       ret = Rex::Text.rand_text_alphanumeric(rand(20)+1)
     end
 
-    if (opts['version_random_case'])
-      ret = Rex::Text.to_rand_case(ret)
-    end
-
     ret << "\r\n"
   end
 

data/lib/rex/proto/http/response.rb

@@ -1,6 +1,8 @@
 # -*- coding: binary -*-
 require 'uri'
 require 'rex/proto/http'
+require 'nokogiri'
+require 'rkelly'
 
 module Rex
 module Proto
@@ -82,6 +84,90 @@ class Response < Packet
     return cookies.strip
   end
 
+
+  # Returns a parsed HTML document.
+  # Instead of using regexes to parse the HTML body, you should use this and use the Nokogiri API.
+  #
+  # @see http://www.nokogiri.org/
+  # @return [Nokogiri::HTML::Document]
+  def get_html_document
+    Nokogiri::HTML(self.body)
+  end
+
+  # Returns a parsed XML document.
+  # Instead of using regexes to parse the XML body, you should use this and use the Nokogiri API.
+  #
+  # @see http://www.nokogiri.org/
+  # @return [Nokogiri::XML::Document]
+  def get_xml_document
+    Nokogiri::XML(self.body)
+  end
+
+  # Returns a parsed json document.
+  # Instead of using regexes to parse the JSON body, you should use this.
+  #
+  # @return [Hash]
+  def get_json_document
+    json = []
+
+    begin
+      json = JSON.parse(self.body)
+    rescue JSON::ParserError => e
+      elog("#{e.class} #{e.message}\n#{e.backtrace * "\n"}")
+    end
+
+    json
+  end
+
+  # Returns meta tags.
+  # You will probably want to use this the web app's version info (or other stuff) can be found
+  # in the metadata.
+  #
+  # @return [Array<Nokogiri::XML::Element>]
+  def get_html_meta_elements
+    n = get_html_document
+    n.search('//meta')
+  end
+
+  # Returns parsed JavaScript blocks.
+  # The parsed version is a RKelly object that allows you to be able do advanced parsing.
+  #
+  # @see https://github.com/tenderlove/rkelly
+  # @return [Array<RKelly::Nodes::SourceElementsNode>]
+  def get_html_scripts
+    n = get_html_document
+    rkelly = RKelly::Parser.new
+    n.search('//script').map { |s| rkelly.parse(s.text) }
+  end
+
+
+  # Returns a collection of found hidden inputs
+  #
+  # @return [Array<Hash>] An array, each element represents a form that contains a hash of found hidden inputs
+  #  * 'name' [String] The hidden input's original name. The value is the hidden input's original value.
+  # @example
+  #  res = send_request_cgi('uri'=>'/')
+  #  inputs = res.get_hidden_inputs
+  #  session_id = inputs[0]['sessionid'] # The first form's 'sessionid' hidden input
+  def get_hidden_inputs
+    forms = []
+    noko = get_html_document
+    noko.search("form").each_entry do |form|
+      found_inputs = {}
+      form.search("input").each_entry do |input|
+        input_type = input.attributes['type'] ? input.attributes['type'].value : ''
+        next if input_type !~ /hidden/i
+
+        input_name = input.attributes['name'] ? input.attributes['name'].value : ''
+        input_value = input.attributes['value'] ? input.attributes['value'].value : ''
+        found_inputs[input_name] = input_value unless input_name.empty?
+      end
+      forms << found_inputs unless found_inputs.empty?
+    end
+
+    forms
+  end
+
   #
   # Updates the various parts of the HTTP response command string.
   #

data/lib/rex/proto/ipmi/utils.rb

@@ -15,8 +15,8 @@ class Utils
   def self.create_ipmi_getchannel_probe
     [   # Get Channel Authentication Capabilities
       0x06, 0x00, 0xff, 0x07, # RMCP Header
-      0x00, 0x00, 0x00, 0x00, 
-      0x00, 0x00, 0x00, 0x00, 0x00, 0x09, 0x20, 0x18, 
+      0x00, 0x00, 0x00, 0x00,
+      0x00, 0x00, 0x00, 0x00, 0x00, 0x09, 0x20, 0x18,
       0xc8, 0x81, 0x00, 0x38, 0x8e, 0x04, 0xb5
     ].pack("C*")
   end
@@ -36,20 +36,20 @@ class Utils
       0x00, 0x00,
       # Reserved
       0x00, 0x00
-    ].pack("C*") + 
+    ].pack("C*") +
     console_session_id +
     [
-      0x00, 0x00, 0x00, 0x08, 
+      0x00, 0x00, 0x00, 0x08,
       0x01, 0x00, 0x00, 0x00,
-      0x01, 0x00, 0x00, 0x08, 
+      0x01, 0x00, 0x00, 0x08,
       # HMAC-SHA1
-      0x01, 0x00, 0x00, 0x00, 
-      0x02, 0x00, 0x00, 0x08, 
+      0x01, 0x00, 0x00, 0x00,
+      0x02, 0x00, 0x00, 0x08,
       # AES Encryption
       0x01, 0x00, 0x00, 0x00
     ].pack("C*")
 
-    head + [data.length].pack('v') + data 
+    head + [data.length].pack('v') + data
   end
 
 
@@ -68,39 +68,43 @@ class Utils
       0x00, 0x00,
       # Reserved
       0x00, 0x00
-    ].pack("C*") + 
+    ].pack("C*") +
     console_session_id +
     [
-      0x00, 0x00, 0x00, 0x08, 
+      0x00, 0x00, 0x00, 0x08,
       # Cipher 0
       0x00, 0x00, 0x00, 0x00,
       0x01, 0x00, 0x00, 0x08,
       # Cipher 0
       0x00, 0x00, 0x00, 0x00,
       0x02, 0x00, 0x00, 0x08,
-      # No Encryption 
+      # No Encryption
       0x00, 0x00, 0x00, 0x00
     ].pack("C*")
 
-    head + [data.length].pack('v') + data 
+    head + [data.length].pack('v') + data
   end
 
   def self.create_ipmi_rakp_1(bmc_session_id, console_random_id, username)
-    [
+    head = [
       0x06, 0x00, 0xff, 0x07,  # RMCP Header
       0x06,                    # RMCP+ Authentication Type
       PAYLOAD_RAKP1,           # Payload Type
-      0x00, 0x00, 
-      0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x21, 0x00, 
-      0x00, 0x00, 0x00, 0x00
-    ].pack("C*") +
-    bmc_session_id +
-    console_random_id +
-    [
-      0x14, 0x00, 0x00, 
-      username.length
-    ].pack("C*") + 
-    username
+      0x00, 0x00, 0x00, 0x00,
+      0x00, 0x00, 0x00, 0x00,
+    ].pack("C*")
+
+    data =
+      [0x00, 0x00, 0x00, 0x00].pack("C*") +
+      bmc_session_id +
+      console_random_id +
+      [
+        0x14, 0x00, 0x00,
+        username.length
+      ].pack("C*") +
+      username
+
+    head + [data.length].pack('v') + data
   end
 
 
@@ -109,7 +113,7 @@ class Utils
     bmc_sid +
     con_rid +
     bmc_rid +
-    bmc_gid + 
+    bmc_gid +
     [ auth_level ].pack("C") +
     [ username.length ].pack("C") +
     username
@@ -122,4 +126,4 @@ class Utils
 end
 end
 end
-end
+end

data/lib/rex/proto/kerberos/client.rb

@@ -187,7 +187,7 @@ module Rex
 
         # Decodes a Kerberos response
         #
-        # @param input [String] the raw response message
+        # @param data [String] the raw response message
         # @return [<Rex::Proto::Kerberos::Model::KrbError, Rex::Proto::Kerberos::Model::KdcResponse>] the kerberos message response
         # @raise [RuntimeError] if the response can't be processed
         def decode_kerb_response(data)

data/lib/rex/proto/kerberos/model/kdc_request.rb

@@ -118,7 +118,7 @@ module Rex
               when 4
                 self.req_body = decode_asn1_req_body(val)
               else
-                raise ::RuntimeError, 'Filed to decode KdcRequest SEQUENCE'
+                raise ::RuntimeError, 'Failed to decode KdcRequest SEQUENCE'
               end
             end
           end
@@ -163,4 +163,4 @@ module Rex
       end
     end
   end
-end
+end

data/lib/rex/proto/rfb/client.rb

@@ -24,7 +24,7 @@ class Client
     @opts = opts
 
     @banner = nil
-    @majver = MajorVersion
+    @majver = MajorVersions
     @minver = -1
     @auth_types = []
   end
@@ -50,7 +50,7 @@ class Client
 
     if @banner =~ /RFB ([0-9]{3})\.([0-9]{3})/
       maj = $1.to_i
-      if maj != MajorVersion
+      unless MajorVersions.include?(maj)
         @error = "Invalid major version number: #{maj}"
         return false
       end
@@ -61,7 +61,12 @@ class Client
 
     @minver = $2.to_i
 
-    our_ver = "RFB %03d.%03d\n" % [MajorVersion, @minver]
+    # Forces version 3 to be used. This adds support  for version 4 servers.
+    # It may be necessary to hardcode minver as well.
+    # TODO: Add support for Version 4.
+    # Version 4 adds additional information to the packet regarding supported
+    # authentication types.
+    our_ver = "RFB %03d.%03d\n" % [3, @minver]
     @sock.put(our_ver)
 
     true

data/lib/rex/proto/rfb/constants.rb

@@ -19,7 +19,7 @@ module RFB
 DefaultPort = 5900
 
 # Version information
-MajorVersion = 3
+MajorVersions = [3, 4]
 # NOTE: We will emulate whatever minor version the server reports.
 
 # Security types

data/lib/rex/proto/rmi.rb

@@ -3,5 +3,7 @@
 # JAVA RMI Wire protocol implementation
 # http://docs.oracle.com/javase/7/docs/platform/rmi/spec/rmi-protocol.html
 
+require 'rex/proto/rmi/exception'
+require 'rex/proto/rmi/decode_error'
 require 'rex/proto/rmi/model'
 

data/lib/rex/proto/rmi/decode_error.rb

@@ -0,0 +1,10 @@
+# -*- coding: binary -*-
+
+module Rex
+  module Proto
+    module Rmi
+      class DecodeError < ::RuntimeError
+      end
+    end
+  end
+end

data/lib/rex/proto/rmi/exception.rb

@@ -0,0 +1,10 @@
+# -*- coding: binary -*-
+
+module Rex
+  module Proto
+    module Rmi
+      class Exception < ::RuntimeError
+      end
+    end
+  end
+end

data/lib/rex/proto/rmi/model.rb

@@ -15,6 +15,8 @@ module Rex
         PROTOCOL_NOT_SUPPORTED = 0x4f
         RETURN_DATA            = 0x51
         PING_ACK               = 0x53
+        RETURN_VALUE           = 1
+        RETURN_EXCEPTION       = 2
       end
     end
   end
@@ -24,7 +26,10 @@ require 'rex/proto/rmi/model/element'
 require 'rex/proto/rmi/model/output_header'
 require 'rex/proto/rmi/model/protocol_ack'
 require 'rex/proto/rmi/model/continuation'
+require 'rex/proto/rmi/model/unique_identifier'
+require 'rex/proto/rmi/model/call_data'
 require 'rex/proto/rmi/model/call'
+require 'rex/proto/rmi/model/return_value'
 require 'rex/proto/rmi/model/return_data'
 require 'rex/proto/rmi/model/dgc_ack'
 require 'rex/proto/rmi/model/ping'

data/lib/rex/proto/rmi/model/call.rb

@@ -11,7 +11,7 @@ module Rex
           #   @return [Fixnum] the message id
           attr_accessor :message_id
           # @!attribute call_data
-          #   @return [Rex::Java::Serialization::Model::Stream] the serialized call data
+          #   @return [Rex::Proto::Rmi::Model::CallData] the call data
           attr_accessor :call_data
 
           private
@@ -20,11 +20,11 @@ module Rex
           #
           # @param io [IO] the IO to read from
           # @return [String]
-          # @raise [RuntimeError] if fails to decode the message id
+          # @raise [Rex::Proto::Rmi::DecodeError] if fails to decode the message id
           def decode_message_id(io)
             message_id = read_byte(io)
             unless message_id == CALL_MESSAGE
-              raise ::RuntimeError, 'Failed to decode Call message id'
+              raise Rex::Proto::Rmi::DecodeError, 'Failed to decode Call message id'
             end
 
             message_id
@@ -35,7 +35,7 @@ module Rex
           # @param io [IO] the IO to read from
           # @return [Rex::Java::Serialization::Model::Stream]
           def decode_call_data(io)
-            call_data = Rex::Java::Serialization::Model::Stream.decode(io)
+            call_data = Rex::Proto::Rmi::Model::CallData.decode(io)
 
             call_data
           end

data/lib/rex/proto/rmi/model/call_data.rb

@@ -0,0 +1,137 @@
+# -*- coding: binary -*-
+
+module Rex
+  module Proto
+    module Rmi
+      module Model
+        # This class provides a representation of an RMI return value
+        class CallData < Element
+
+          # @!attribute object_number
+          #   @return [Fixnum] Random to identify the object being called
+          attr_accessor :object_number
+          # @!attribute uid
+          #   @return [Rex::Proto::Rmi::Model::UniqueIdentifier] unique identifier for the target to call
+          attr_accessor :uid
+          # @!attribute operation
+          #   @return [Fixnum] On JDK 1.1 stub protocol the operation index in the interface. On JDK 1.2
+          #     it is -1.
+          attr_accessor :operation
+          # @!attribute hash
+          #   @return [Fixnum] On JDK 1.1 stub protocol the stub's interface hash. On JDK1.2 is a hash
+          #     representing the method to call.
+          attr_accessor :hash
+          # @!attribute arguments
+          #   @return [Array] the returned exception or value according to code
+          attr_accessor :arguments
+
+          # Encodes the Rex::Proto::Rmi::Model::CallData into an String.
+          #
+          # @return [String]
+          def encode
+            stream = Rex::Java::Serialization::Model::Stream.new
+            block_data = Rex::Java::Serialization::Model::BlockData.new(nil, encode_object_number + encode_uid + encode_operation + encode_hash)
+
+            stream.contents << block_data
+            stream.contents += arguments
+
+            stream.encode
+          end
+
+          # Decodes the Rex::Proto::Rmi::Model::CallData from the input.
+          #
+          # @param io [IO] the IO to read from
+          # @return [Rex::Proto::Rmi::Model::CallData]
+          def decode(io)
+            stream = Rex::Java::Serialization::Model::Stream.decode(io)
+
+            block_data = stream.contents[0]
+            block_data_io = StringIO.new(block_data.contents, 'rb')
+
+            self.object_number = decode_object_number(block_data_io)
+            self.uid = decode_uid(block_data_io)
+            self.operation = decode_operation(block_data_io)
+            self.hash = decode_hash(block_data_io)
+            self.arguments = []
+
+            stream.contents[1..stream.contents.length - 1].each do |content|
+              self.arguments << content
+            end
+
+            self
+          end
+
+          private
+
+          # Reads the object number from the IO
+          #
+          # @param io [IO] the IO to read from
+          # @return [Fixnum]
+          def decode_object_number(io)
+            object_number = read_long(io)
+
+            object_number
+          end
+
+          # Reads and deserializes the uid from the IO
+          #
+          # @param io [IO] the IO to read from
+          # @return [Rex::Proto::Rmi::Model::UniqueIdentifier]
+          def decode_uid(io)
+            uid = Rex::Proto::Rmi::Model::UniqueIdentifier.decode(io)
+
+            uid
+          end
+
+          # Reads the operation from the IO
+          #
+          # @param io [IO] the IO to read from
+          # @return [Fixnum]
+          def decode_operation(io)
+            operation = read_int(io)
+
+            operation
+          end
+
+          # Reads the hash from the IO
+          #
+          # @param io [IO] the IO to read from
+          # @return [Fixnum]
+          def decode_hash(io)
+            hash = read_long(io)
+
+            hash
+          end
+
+          # Encodes the code field
+          #
+          # @return [String]
+          def encode_object_number
+            [object_number].pack('q>')
+          end
+
+          # Encodes the uid field
+          #
+          # @return [String]
+          def encode_uid
+            uid.encode
+          end
+
+          # Encodes the operation field
+          #
+          # @return [String]
+          def encode_operation
+            [operation].pack('l>')
+          end
+
+          # Encodes the hash field
+          #
+          # @return [String]
+          def encode_hash
+            [hash].pack('q>')
+          end
+        end
+      end
+    end
+  end
+end